SENSITIVE BUT UNCLASSIFIED

United States Department of State and the Broadcasting Board of Governors
Office of Inspector General

Memorandum Report of Inspection

Summary of FY 2004 Information Systems Security Issues

Report Number IT-I-05-01, March 2005

IMPORTANT NOTICE
This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C. 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.

TABLE OF CONTENTS

SUMMARY ..... 1
GLOBAL SYSTEMS SECURITY ISSUES ..... 3
    Information Systems Security Officer Program ..... 3
    Information Management and ISSO Oversight ..... 4
    Patch Management Procedures ..... 6
    Planning Documentation ..... 7
    Local Change Control Board ..... 8
REGIONAL BUREAU-SPECIFIC OBSERVATIONS ..... 11
    Bureau of African Affairs ..... 11
    Bureau of European and Eurasian Affairs ..... 12
    Bureau of Near Eastern Affairs ..... 12
    Bureau of East Asian and Pacific Affairs ..... 13
CONCLUSION ..... 15
RECOMMENDATIONS ..... 17
APPENDIX A - 2004 IT SECURITY INSPECTIONS ..... 19

SUMMARY

The end of another year presents an opportunity for the Office of Inspector General (OIG) to report the most important information systems security concerns identified during the FY 2004 inspections. OIG inspected more than 40 posts and bureaus, gaining valuable insight into the Department of State's ongoing information systems security effort. Modernizing the global information technology (IT) systems, a move championed by Secretary Colin L. Powell and executed by the Chief Information Officer (CIO), is proving successful. Installing advanced information systems, however, must be met with an equivalent advancement in systems security. It is here where the Department can improve its performance.

The inspections of FY 2004 uncovered systems security issues that cross regional and bureau boundaries, allowing OIG to suggest several areas for improvement Department-wide. The Information Systems Security Officer (ISSO) program is struggling at several posts. Patch management procedures and other essential emergency planning and recovery documentation are missing or inadequate. Several change control boards (CCB) at posts are noncompliant with Department guidelines.[1] At the root of these and other problems, management's guidance and oversight of IT security practices needs improvement. OIG discusses these issues below and also provides an overview of the issues specific to the bureaus inspected in FY 2004.

[1] CCBs are local forums of IT staff and usually regional security officers (RSOs) who discuss software and hardware issues at posts and approve use of nonstandard software to support post operations, when fully justified.

OIG Report No. IT-I-05-01, Summary of FY 2004 Information Systems Security Issues, March 2005

GLOBAL SYSTEMS SECURITY ISSUES

INFORMATION SYSTEMS SECURITY OFFICER PROGRAM

The ISSO program is struggling to take hold in many locations. Roughly a third of the inspections reported shortcomings in the ISSO program, with many posts having severe infractions.[2] Common findings include the following:

    • failure to perform and document random checks of user libraries and mailboxes for classified material stored on unclassified systems, including checks for unapproved material (11 inspections);
    • essential systems security documentation that is missing or inadequate (15 inspections);
    • users observed not locking workstations while away from their desks (five inspections);
    • inadequate communication among management, U.S. and foreign service national IT personnel, and RSOs (five inspections);
    • inadequate separation of duties among system managers, information management officers (IMOs), and ISSOs, leading to weak internal control of IT resources (11 inspections);
    • incomplete coordination between IT and human resource (HR) staff to deactivate or delete user accounts of departing employees, especially for users with multiple accounts and administrative rights;
    • a lack of proper enforcement not only of the policies in place, but also of management's responsibility to ensure that ISSO functions are properly carried out; and
    • configuration settings that deviate from Department standards.

[2] A single inspection may include several geographic locations and include embassies and consulates general, or offices in the Washington bureaus.

In accordance with Department requirements (12 FAM 600), the ISSO is responsible for implementing the Department's information systems security program on all classified and unclassified automated information systems. He or she should advise the security officer on automated information systems security issues and work closely with the systems manager, other ISSOs, and the information programs officer. Throughout this process, the ISSO should ensure risk is mitigated to an acceptable level.

Most posts understood the importance of improving their ISSO practices. However, posts were frequently aware of inadequacies but did not have the staff to fully support the ISSO program. Deficiencies in the ISSO program were generally in two areas: (1) a lack of trained information systems security personnel, and (2) insufficient prioritization, guidance, oversight, and accountability from senior and middle management. It is the CIO's responsibility to provide the ISSOs with proper guidance to carry out their work requirements. The Enterprise Network Management Office (ENM) is developing a toolset to automate many of the ISSO's tasks. This is a welcome step to improve the program, but more must be done to fulfill the mandate issued more than four years ago to implement successful ISSO programs at every post (12 FAM 600).

    Recommendation 1: The Chief Information Officer must ensure that the information systems security officer's duties and responsibilities are prioritized such that not fulfilling them translates into unacceptable performance for the information management officer and the information systems security officer.

INFORMATION MANAGEMENT AND ISSO OVERSIGHT

IMOs at several posts appear unaware of all their security responsibilities. These managers are tasked with creating successful ISSO programs through proper training, guidance, and accountability. Their position descriptions often lack specific details regarding required IT security responsibilities. A successful information management and systems security program at post translates into a successful embassy evaluation.

Six inspections showed fragmentary or nonexistent work requirements for ISSOs. Eleven inspections revealed incomplete, nonexistent, or undocumented random checks of user libraries, documents, and mailboxes for unapproved material or classified material on unclassified machines. In four instances, inappropriate sexual material was found. Another site had more than 50 gigabytes of unapproved material on its servers, dramatically affecting backup times and wasting valuable resources.

Two sites had no ISSO program, in practice or in writing. Many other locations were not training their security staff to perform the most basic ISSO duties. Nearly every infraction was the result of inadequate training in or oversight of information systems security practices. Successful security programs require fully trained management and staff capable of the critical task of securing the Department's systems.

Communication among IT personnel at posts could also improve. Inspections showed numerous instances where problems could have been avoided if IT staff had more open lines of communication.

The Department could benefit by drawing on the resources and success of the embassies to pull up the constituent posts within their domain. Improved regional support would also provide help to remote posts that need it but cannot justify additional full-time personnel. This is especially true of posts in Africa, which are not only short-handed, but whose less experienced specialists are required to accomplish more work. If the Department cannot staff the numerous hard-to-fill positions in a region, then it must increase the regional support to fill the gaps. OIG expects to release a report in 2005 regarding the support provided by Regional Information Management Centers (RIMC).

Overall, the quality of information management and ISSO oversight at posts is poor. The ISSO program at posts lacks the adequate training and oversight of information systems security practices needed to be effective.

    Recommendation 2: The Chief Information Officer should coordinate with the Director General to ensure that position descriptions for the information management officers include specific details regarding required information technology security responsibilities.

PATCH MANAGEMENT PROCEDURES

Over time, most software is discovered to have flaws that, if not fixed, can leave a computer open to disruption or attack. Patches are released to fix these flaws, and they are a vital part of any effective information systems security effort.

Six inspections revealed patch management procedures that do not comply with 5 FAM 866. Patch management objectives must include: applying patches in a timely manner; proper documentation of patch status; coordination among IT staff, management, and users; and notices sent to the Department indicating compliance with these objectives.

The Department is addressing patch management issues with mixed results. It has successfully deployed a tool that automates much of the patch application process. Posts, however, are not using the full potential of this tool. Some posts do not patch their systems regularly. Many posts still apply patches individually and do not know how to automate this process, even though the training is available online. Recent statistics from ENM's patch bulletin web site indicate that a majority of posts are not installing patches, as shown in figure 1.

[Figure 1: Patch Management at 274 Department Sites (pie chart). Legend: RED status (not within operational tolerances); YELLOW status (borderline tolerances); GREEN status (within operational tolerances). Segments: 62.4% (171 sites), 22.3% (61 sites), 15.3% (42 sites). Source: http://enm.irm.state.gov (as of December 17, 2004).]

Some IT personnel abroad dispute these numbers and say that the reporting tool is flawed. Nevertheless, the numbers are consistent with OIG findings that patch management at posts needs marked improvement.

Many reasons are given as to why patch management is unsuccessful thus far. Many posts want the freedom to administer their systems as they see fit, rather than having them remotely administered from Washington. Other posts cite a shortage of staff, uninformed staff, and the continuous release of patches as contributing factors. Regardless of the reason, the patch management status quo is not tenable. A CIO initiative to enforce appropriate patch management procedures abroad would substantially lessen vulnerabilities to the Department's information systems.

    Recommendation 3: The Chief Information Officer should establish written guidance and procedures on what actions will be taken if overseas posts do not install the patches the Department releases.

PLANNING DOCUMENTATION

Documenting procedures is a vital step in proper information systems management. Often, having a recovery plan in place can reduce downtime from days to hours or less in the event of a system failure. Documentation is also necessary for budgeting and staffing reasons. Often, specialists are rotated into areas needing immediate assistance, such as Embassy Baghdad and its supporting posts. They are typically the Department's most knowledgeable IT personnel, and their rotation creates acute shortages at home posts. Having written documentation noticeably improves the learning curve for replacement specialists at post, saving valuable time and money and ultimately providing better service. Moreover, not having this basic paperwork shows that a post does not understand or is not following Department procedures.

During its inspections, OIG found many of the required post-specific documents either incomplete or nonexistent. Key documents include, but are not limited to, the following:

    • Contingency Plans, which are designed to ensure continuity of operations under adverse conditions and should operate in conjunction with the Emergency Action Plan and with other posts, providing automated information systems backup processing capabilities. (13 inspections)
    • Information Systems Security Plans, which provide an overview of automated information systems security and the means for improving the protection of IT resources. They also delineate the responsibilities and expected behaviors of all individuals accessing the systems. (11 inspections)
    • IT Budget Plans, which must include the planned life cycle of all Information Program Center assets and current and future IT projects and services. They should look to future IT needs and plan accordingly. (4 inspections)
    • Other documents, such as topology maps, wiring diagrams, and patch management procedures, which must be current and tested frequently. (multiple inspections)

Overall, nearly half of the inspections uncovered problems within documentation.

    Recommendation 4: The Chief Information Officer should inform the posts and bureaus of the requirements for information systems documentation and develop and implement procedures for verifying and validating that all requirements are met.

LOCAL CHANGE CONTROL BOARD

The local CCB provides a forum for IT staff and RSOs to discuss whether or not to allow new software or hardware onto the post's IT systems. Though most posts have a local CCB, OIG found many were not fully cognizant of their role. OIG reminds bureaus that:

    1. posts are required to inform the Department regularly of their CCB decisions;
    2. posts should inform users of CCB decisions, including any penalties for noncompliance; and
    3. as stated in 12 FAM 425 (a), RSOs play an integral part in systems security and must regularly work with ISSOs to form a cohesive security team at post.

An additional concern is the growing use of Universal Serial Bus (USB) drives, also known as "pen" or "thumb" drives. A single USB drive may have a gigabyte or more of storage space, which is ample room to store unapproved software, inappropriate material, classified material, or even an entire operating system undetectable by IT personnel. The Department currently defers to posts the choice to approve or disapprove the use of USB drives. This leads to different, even contradictory, policies at posts, or even no policy at all.

The Department should determine the appropriate use of USB drives, and OIG advises the development of a Department-wide policy regarding their use.

    Recommendation 5: The Chief Information Officer should develop policy and implementing guidance on the use of Universal Serial Bus storage drives on all Department systems.

In the interim, OIG urges local CCBs at posts that currently use USB drives to establish and enforce a USB drive policy, with input from the RSO.

REGIONAL BUREAU-SPECIFIC OBSERVATIONS

This section highlights areas of concern within the bureaus OIG inspected during FY 2004. Although each bureau had its own specific issues, such as power outages, lack of training, unapproved Internet connections, and missing documentation, OIG found that issues such as the deficiencies in the ISSO program as well as shortages in personnel span several bureaus.

BUREAU OF AFRICAN AFFAIRS

Posts in Africa operate with a high number of first-tour officers and specialists, including IMOs. Most posts are understaffed and lack sufficient IT training, funding, and infrastructure. Positions are frequently difficult to fill and often staffed, if at all, by inexperienced managers and specialists. For example, the IMO position was vacant for nearly a year in Embassy Addis Ababa, and Embassy Lesotho had no IMO. Temporary duty employees were often used to fill management positions, but churning through managers often has negative results. Embassy Asmara had six management officers in eight months, and Embassy Djibouti had seven in three years. OIG addressed these concerns in May 2004.[3]

Power outages are a regular event in Africa and have caused significant damage to IT equipment at Embassies Addis Ababa and Mbabane. Although outages are to be expected in underdeveloped areas, the Department should encourage all posts in Africa to test and reevaluate the adequacy of uninterruptible power supplies, surge suppression devices, and generators to avoid further damage to equipment. More regional support would help. Additionally, replacement parts and technicians should be available to repair dilapidated equipment in a timely manner.

[3] See Strengthening Leadership and Staffing at African Hardship Posts (ISP-I-04-54).

BUREAU OF EUROPEAN AND EURASIAN AFFAIRS

European posts are among the best funded and best equipped in the Department. Despite this, many are not meeting their IT security and systems management responsibilities. Half of the European inspections in 2004 revealed notable deficiencies in their ISSO programs. A basic ISSO duty is to check for unapproved or inappropriate material and to document the search. Embassies Athens, The Hague, Prague, Ankara, and Consulate General Istanbul did not perform this basic task. Management control of the ISSO program and site security needs improvement to ensure the proper oversight of IT practices.

Department policy requires separation of duties in information systems management. European posts, though largely cognizant of their ISSO duties, often claim that they are short-handed and cannot properly staff IT and ISSO positions. Thus, IT specialists perform both system management and systems security duties. This arrangement, though tolerable in small posts with a limited user base, is not acceptable in large posts critical to U.S.-European relations. Separating management and security provides vital checks and balances.

As mentioned previously, posts must apply the Department's approved patches across all Department software. [Remainder of paragraph redacted under exemption (b)(2).]

BUREAU OF NEAR EASTERN AFFAIRS

The Bureau of Near Eastern Affairs (NEA) is struggling to realize the full potential of the ISSO program. The bureau's ISSO, for example, claimed to work on ISSO-related duties for only 15 minutes a day. As a result, the inspection team found many problems with basic systems security, including:

    • users not given the required security briefing before account access, nor a yearly security refresher;
    • external Internet connections that were unapproved;
    • an acute lack of documentation of all kinds; and
    • configuration settings that differ from Department standards.

IT personnel in NEA thought that they were in general compliance with Department security guidelines. This indicates a lack of training for IT and other NEA staff. NEA told OIG that it is addressing the issues that OIG's inspections found.

NEA posts abroad have many of the same problems facing the Department as a whole. Posts are hampered by personnel shortages as staff are rotated to support Embassy Baghdad. Four of the five inspections of NEA posts contain classified IT findings. For more information, see the classified security reports for Embassies Abu Dhabi, Doha, Kuwait, and Muscat.

BUREAU OF EAST ASIAN AND PACIFIC AFFAIRS

The Bureau of East Asian and Pacific Affairs (EAP) is, like NEA, struggling to meet the requirements of the ISSO program. EAP had two IT specialist vacancies during the inspections, a common explanation for gaps in information systems security. Essential planning and emergency recovery documentation was also missing, as was the assignment of a qualified alternate ISSO. Patch management procedures were also inadequate. Additional staffing and increased awareness of the Department's requirements should help alleviate these problems.

EAP posts abroad experienced the same problems found throughout the Department, including notable deficiencies in ISSO programs. One inspection revealed a consulate general with no ISSO program, and another so weak that it was de facto nonexistent.

Many posts in this region are similar to those in Africa, where OIG said that increased regional support could offset a lack of permanent IT specialists. This is especially true in China.

For more on information systems security issues at EAP posts, please see the classified security reports for RIMC Bangkok and Embassies Bangkok, Beijing, Seoul, and Ulaanbataar.

CONCLUSION

The continuing effort to modernize the Department's information systems is proving successful. An equal challenge, however, continues to be the proper management and security of these advanced systems. OIG recognizes this challenge and commends the Department's efforts thus far. Improvements in the ISSO program, patch management and emergency documentation, local CCB operations, and management and oversight of these areas will help provide the Department with the means necessary to meet its information systems security challenges.

RECOMMENDATIONS

Recommendation 1: The Chief Information Officer must ensure that the information systems security officer's duties and responsibilities are prioritized such that not fulfilling them translates into unacceptable performance for the information management officer and the information systems security officer.

Recommendation 2: The Chief Information Officer should coordinate with the Director General to ensure that position descriptions for the information management officers include specific details regarding required information technology security responsibilities.

Recommendation 3: The Chief Information Officer should establish written guidance and procedures on what actions will be taken if overseas posts do not install the patches the Department releases.

Recommendation 4: The Chief Information Officer should inform the posts and bureaus of the requirements for information systems documentation and develop and implement procedures for verifying and validating that all requirements are met.

Recommendation 5: The Chief Information Officer should develop policy and implementing guidance on the use of Universal Serial Bus storage drives on all Department systems.

APPENDIX A
2004 IT Security Inspections

    Bureau of East Asian and Pacific Affairs
    Bureau of Educational and Cultural Affairs
    Bureau of International Information Programs
    Bureau of Near Eastern Affairs
    Bureau of South Asian Affairs
    Compliance Follow-up Review (CFR) Embassy Lisbon, Portugal & Ponta Delgada
    Embassy Abu Dhabi & CG Dubai, UAE
    Embassy Addis Ababa, Ethiopia
    Embassy Amman, Jordan
    Embassy Ankara, Turkey & Constituent Posts
    Embassy Asmara, Eritrea
    Embassy Athens, Greece & CG Thessaloniki
    Embassy Bangkok, Thailand & Constituent Posts
    Bangkok Financial Service Center
    Management Assessment Review (MAR) of Embassy Bangui, Central African Republic
    Embassy Beijing, China & Constituent Posts
    Embassy Berlin, Germany & Constituent Posts
    Embassy Brussels, Belgium
    Embassy Colombo, Sri Lanka
    Embassy Dhaka, Bangladesh
    MAR of Embassy Dili, East Timor
    Embassy Djibouti, Republic of Djibouti
    Embassy Doha, Qatar
    Embassy The Hague, Netherlands
    Embassy Kathmandu, Nepal
    Embassy Khartoum, Sudan
    Embassy Kuwait, Kuwait
    Embassy Luxembourg, Luxembourg
    Embassy Maseru, Kingdom of Lesotho
    Embassy Mbabane, Swaziland
    Embassy Muscat, Oman
    Embassy N'Djamena, Chad
    Embassy Nicosia, Cyprus
    Embassy Prague, The Czech Republic
    Embassy Pretoria, South Africa & Constituent Posts
    Embassy Seoul, Republic of Korea
    Embassy Ulaanbataar, Mongolia
    Embassy Yaounde, Cameroon
    European Logistical Support Office, Antwerp, Belgium
    U.S. Mission to the European Union, Brussels, Belgium
    U.S. Mission to the North Atlantic Treaty Organization

SENSITIVE BUT UNCLASSIFIED